Balbooa Forms CVE-2026-56291 actively exploited vulnerability
CISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.
- Signals
- 4
- Last updated
- 2026-07-10
- Hunting
- Has script
An automated threat intelligence aggregator providing a central hub for supply chain attacks and actively exploited vulnerabilities.
SIEM Ingestion Feed docsCISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.
CISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.
CISA added CVE-2026-48282 affecting Adobe ColdFusion to the Known Exploited Vulnerabilities catalog on 2026-07-07. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
CISA added CVE-2026-56290 affecting Joomlack Page Builder to the Known Exploited Vulnerabilities catalog on 2026-07-07. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
Joomlack Page Builder contains an improper access control vulnerability that could allow for remote code execution via unauthenticated arbitrary file upload. CISA added it to KEV on 2026-07-07, making it an in-scope exploited-vulnerability coverage item.
CISA added CVE-2026-48908 affecting JoomShaper SP Page Builder to the Known Exploited Vulnerabilities catalog on 2026-07-07. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
CISA added CVE-2026-55255 affecting Langflow Langflow to the Known Exploited Vulnerabilities catalog on 2026-07-07. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. CISA added it to KEV on 2026-07-07, making it an in-scope exploited-vulnerability coverage item.
CISA added CVE-2026-45659 affecting Microsoft SharePoint Server to the Known Exploited Vulnerabilities catalog on 2026-07-01. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network. CISA added it to KEV on 2026-07-01, making it an in-scope exploited-vulnerability coverage item.
CISA added CVE-2026-48558 affecting SimpleHelp SimpleHelp to the Known Exploited Vulnerabilities catalog on 2026-06-29. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. CISA added it to KEV on 2026-06-29, making it an in-scope exploited-vulnerability coverage item.
pnpm disclosed a cluster of package-manager vulnerabilities affecting lockfile integrity, Git dependency fetching, repository registry configuration, patch application, and symlink creation; responders should inventory vulnerable pnpm versions and review credential-bearing install paths.
CycloneDX cdxgen before 12.4.3 could execute shell metacharacters from repository-controlled Maven module paths when scanning attacker-controlled projects, putting developer workstations and CI SBOM runners at risk.
On June 26, 2026, multiple @immobiliarelabs Backstage plugin versions were published to npm with a binding.gyp node-gyp hook and a new 5 MB index.js payload. Treat affected Backstage builds and developer or CI installs as credential exposure until lockfiles, package caches, and downstream audits are clean.
CISA added CVE-2026-20230 affecting Cisco Unified Communications Manager to the Known Exploited Vulnerabilities catalog on 2026-06-25. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
StepSecurity disclosed a June 24, 2026 Leo Platform npm supply-chain compromise affecting 20 packages published in a three-second burst. Socket and Sonatype then tied three more malicious npm packages to the same Miasma / Mini Shai-Hulud Phantom Gyp tradecraft, extending the incident into a 23-package campaign update.
CISA added CVE-2026-12569 affecting PTC Windchill and FlexPLM to the Known Exploited Vulnerabilities catalog on 2026-06-25. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
Mutable refs for simonecorsi/mawesome including latest, v1, v2, and v2.2.0 currently resolve to a composite action that installs Bun and always runs an obfuscated JavaScript payload, exposing GitHub Actions runners that still trust those tags.
An attacker force-pushed a malicious composite action into codfish/semantic-release-action and moved fifteen published tags to that commit, exposing GitHub Actions runners that still trusted mutable refs such as v3, v4, and v5.
CISA added CVE-2025-67038 affecting Lantronix EDS5000 to the Known Exploited Vulnerabilities catalog on 2026-06-23. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
CISA added CVE-2026-34908 affecting Ubiquiti UniFi OS to the Known Exploited Vulnerabilities catalog on 2026-06-23. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
CISA added CVE-2026-34909 affecting Ubiquiti UniFi OS to the Known Exploited Vulnerabilities catalog on 2026-06-23. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
CISA added CVE-2026-34910 affecting Ubiquiti UniFi OS to the Known Exploited Vulnerabilities catalog on 2026-06-23. This post scopes exposure, fixed-version evidence, and IR handling without treating advisory sites as IOCs.
Socket says two trojanized Open VSX extensions delivered a TinyGo-compiled WebAssembly loader that read Solana memo data to resolve `dodod[.]lat`, then built OS-specific download-and-execute commands for developer endpoints.